Storing a static string securely

I want to store a static NSString securely. I am storing it in a plist file, but that is not secure as it can be retrieved if anyone gets the IPA. Is there any way to store a string or token securely?

Replies

There is encryption and signing. You encrypt to hide the string from others. You sign so that others can't change the strings. Which do you want?


To sign, you add a "secret salt string" to your publicly visible objects and create an NSData object by:

    NSData *data =[NSPropertyListSerialization dataWithPropertyList:fullArray format:NSPropertyListXMLFormat_v1_0 options:0 error:&error ];

then you determine the hash of that data using CC_SHA1 in <CommonCrypto/CommonDigest.h>. Then you transmit the hash along with the publicly visible objects (but not the "secret salt string"). The recipient adds the "secret salt string" and checks the hash.


To encrypt you can use a function like AES256DecryptWithKey: I am not sure how to link to that function - search stack overflow for that. If you do that you will have an issue with exportation.
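The signing scheme sketched above (serialise the public objects, mix in a shared secret, hash, send the hash alongside the objects) written out end to end. This is an added example, not code from the thread: it keeps the reply's NSPropertyListSerialization step but swaps the "salt string + CC_SHA1" construction for CommonCrypto's CCHmac with SHA-256, which is the standard keyed hash for exactly this job and avoids the length-extension weakness of a plain prefix hash. The secret, the sample array and the function names are assumptions.

```objective-c
// Added example (not from the thread): keyed-hash signing of a property list.
// Uses CCHmac/SHA-256 in place of the reply's "secret salt + CC_SHA1".
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>
#import <CommonCrypto/CommonHMAC.h>

// Serialise the publicly visible objects, exactly as the reply does, so that
// sender and recipient hash the same bytes.
static NSData *PlistBytes(id plist, NSError **error) {
    return [NSPropertyListSerialization dataWithPropertyList:plist
                                                      format:NSPropertyListXMLFormat_v1_0
                                                     options:0
                                                       error:error];
}

// HMAC-SHA256 over the serialised plist with the shared secret as the key.
static NSData *SignPlist(NSData *plistData, NSData *secret) {
    unsigned char mac[CC_SHA256_DIGEST_LENGTH];
    CCHmac(kCCHmacAlgSHA256, secret.bytes, secret.length,
           plistData.bytes, plistData.length, mac);
    return [NSData dataWithBytes:mac length:sizeof(mac)];
}

// Recipient side: recompute the MAC and compare in constant time so that a
// mismatch in the first byte takes as long as a mismatch in the last.
static BOOL VerifyPlist(NSData *plistData, NSData *secret, NSData *receivedMac) {
    NSData *expected = SignPlist(plistData, secret);
    if (expected.length != receivedMac.length) return NO;
    const unsigned char *a = expected.bytes, *b = receivedMac.bytes;
    unsigned char diff = 0;
    for (NSUInteger i = 0; i < expected.length; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Placeholder secret shared by both sides; never sent with the data.
        NSData *secret = [@"PLACEHOLDER-SHARED-SECRET" dataUsingEncoding:NSUTF8StringEncoding];
        // Constructed sample standing in for the thread's fullArray.
        NSArray *fullArray = @[@"item-one", @42, @{@"enabled": @YES}];
        NSError *error = nil;
        NSData *data = PlistBytes(fullArray, &error);
        if (!data) { NSLog(@"serialise failed: %@", error); return 1; }

        // Transmit data + mac; the recipient verifies with the same secret.
        NSData *mac = SignPlist(data, secret);
        NSLog(@"original verifies: %d", VerifyPlist(data, secret, mac));

        // Any change to the public objects invalidates the MAC.
        NSData *tampered = PlistBytes(@[@"item-one", @43, @{@"enabled": @YES}], &error);
        NSLog(@"tampered verifies: %d", VerifyPlist(tampered, secret, mac));
    }
    return 0;
}
```

The first VerifyPlist call returns YES and the second NO, because the tampered array serialises to different bytes. Note that this protects integrity only: the objects themselves are still readable, and the secret has to live somewhere both parties can reach, which is the same placement problem the rest of this thread is about.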

    NSData *data =[NSPropertyListSerialization dataWithPropertyList:fullArray format:NSPropertyListXMLFormat_v1_0 options:0 error:&error ];


In the above line, I assume that fullArray is coming from the server or a local plist. If it's from a local plist, then we can easily retrieve it from the IPA file. I want to store a static string which shouldn't be retrievable from the IPA file.

I’m not sure how easy it is to extract a value from an ipa. But you can always store it modified in some way and then unmodify it as the app runs. For example, add characters in various locations and remove them on launch - the word ‘hello world’ could be stored as ‘hzzzezzzlzzzzozzz zzzwzzzozzzrzzzlzzzdzzz’ as a trivial example.


What specifically are you trying to accomplish?

I am trying to store the hardcoded app token securely so that the token won't be readable when someone gets the IPA file.

Oh, by the way, your other thread on the required entry in the info.plist to trigger that warning on the App Store, the one in the Google Maps app, seems to have disappeared.

Add characters to the token in location 3 and 13. Then hardcode removing those two characters.

Quoting the docs: "The keychain is the best place to store small secrets"


See: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_keychain
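What storing a small secret in the keychain looks like in practice, as an added example that is not from the thread or from Apple's documentation page linked above. It wraps SecItemAdd and SecItemCopyMatching for a generic-password item bound to this device; the service name, account name and sample token are assumptions. It also makes the point the later replies make: the keychain only helps for a value the app obtains at run time (here a constructed stand-in for a server response), because a compile-time constant is already in the binary before any keychain call runs.

```objective-c
// Added example (not from the thread): keychain storage of a run-time secret.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString *const kServiceName = @"com.example.myapp.tokens"; // placeholder

// Store or replace a small secret under (service, account). The item is bound
// to this device and readable only while the device is unlocked.
static OSStatus StoreSecret(NSString *account, NSData *secret) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kServiceName,
        (__bridge id)kSecAttrAccount: account,
    };
    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Read the secret back; returns nil (and the OSStatus) when absent or on error.
static NSData *LoadSecret(NSString *account, OSStatus *status) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kServiceName,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus s = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status) *status = s;
    if (s != errSecSuccess) return nil;
    return (__bridge_transfer NSData *)result;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Constructed stand-in for a token the app received from its server at
        // run time. Nothing in the binary contains this value.
        NSData *token = [@"sample-runtime-token" dataUsingEncoding:NSUTF8StringEncoding];

        OSStatus st = StoreSecret(@"api-token", token);
        if (st != errSecSuccess) { NSLog(@"store failed: %d", (int)st); return 1; }

        NSData *loaded = LoadSecret(@"api-token", &st);
        NSLog(@"loaded matches stored: %d", loaded != nil && [loaded isEqualToData:token]);

        // Asking for an account that was never stored yields errSecItemNotFound.
        NSData *missing = LoadSecret(@"no-such-account", &st);
        NSLog(@"missing item: %d status %d", missing == nil, (int)st);
    }
    return 0;
}
```

On iOS the keychain is available to any app with the default entitlements; on macOS a command-line build also needs to be signed for SecItemAdd to succeed without a prompt. The important design point is the source of `token`: anything you write with StoreSecret first has to exist in memory, and if that value came from a string literal, the literal is what an attacker reads out of the IPA, regardless of what the keychain does afterwards.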

You keep writing ‘Store securely’. That is a good question and you received two answers 1) in the keychain and 2) by adding or changing certain characters so only your app’s hard code can decode it. But your real question is ‘how can I place a secret token in my app’ and for that question only #2 is applicable.

Can't we place a secret key securely using keychain?

>Can't we place a secret key securely using keychain?


Yes you can. But you need to obtain the key and place it in the keychain. How will you obtain the key?

If you include it in an unhidden form in your app's code then you have to be concerned that someone can inspect your app and extract the code. A simple way to avoid this is stated above; add false information to the key and have the app's code remove that false information before storing it in the keychain. Here are 2 examples of encoding the secret word "IBM":


1) "HAL" - your app adds one to each letter

2) "everyIfifthBleterMsic" - your app extracts every fifth letter

The key/token will not come from the server. It will be hardcoded in the source code; that's why I raised this question. Is it worth encrypting the hardcoded key/token by saving it in the keychain?


Can you elaborate more on the following two approaches? Any link which explains this would be better.


1) "HAL" - your app adds one to each letter

2) "everyIfifthBleterMsic" - your app extracts every fifth letter

If you are worried about someone extracting the token from your ipa file then simply hide it as described in #1 or #2 or use "pig latin". It's not that complicated. If you are going to store the unmodified token anywhere then only store it in the keychain.


>Can you elaborate more on the following two approaches or any link:


1) "HAL" - take "H" and look it up in the alphabet. The next letter is "I". Replace the H with I. Then do the same on the A and replace it with a B. Then do the same thing on the L and replace it with M - IBM. If you wanted to hide "123" it would be "012"


2) take "everyIfifthBleterMsic" and delete the first 5 characters (every) and keep the next character (I) then do that again deleting (fifth) and keeping B then again deleting (leter) and keeping M then do it again deleting (sic) and you are left with IBM. If you wanted to hide 123 it would be 562971234592716543
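The two decodings just described, written as the general functions an app would actually ship rather than worked by hand. This is an added example, not code from the thread: ShiftCharacters covers approach 1 (shift every character by a fixed amount, so "HAL" becomes "IBM" and "012" becomes "123") and ExtractAfterEachRun covers approach 2 (skip a fixed run of filler, keep one character, repeat, so "everyIfifthBleterMsic" and "562971234592716543" give back "IBM" and "123"). Function names and the filler length parameter are assumptions; the strings are the ones from the replies above.

```objective-c
// Added example (not from the thread): the two decode steps as functions.
// This is obfuscation only: the encoded string and the decode routine are both
// in the binary, so a reader with a disassembler recovers the original.
#import <Foundation/Foundation.h>

// Approach 1: add `delta` to every character. Decoding "HAL" with delta 1
// gives "IBM"; encoding is the same call with delta -1.
static NSString *ShiftCharacters(NSString *input, int delta) {
    NSMutableString *out = [NSMutableString stringWithCapacity:input.length];
    for (NSUInteger i = 0; i < input.length; i++) {
        unichar c = [input characterAtIndex:i];
        [out appendFormat:@"%C", (unichar)(c + delta)];
    }
    return out;
}

// Approach 2: the stored string repeats "fillerLength junk characters, then one
// real character". Keep the character that follows each run of filler.
static NSString *ExtractAfterEachRun(NSString *input, NSUInteger fillerLength) {
    NSMutableString *out = [NSMutableString string];
    NSUInteger stride = fillerLength + 1;
    for (NSUInteger i = fillerLength; i < input.length; i += stride) {
        [out appendFormat:@"%C", [input characterAtIndex:i]];
    }
    return out;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Strings from the replies above.
        NSLog(@"%@", ShiftCharacters(@"HAL", 1));
        NSLog(@"%@", ShiftCharacters(@"012", 1));
        NSLog(@"%@", ExtractAfterEachRun(@"everyIfifthBleterMsic", 5));
        NSLog(@"%@", ExtractAfterEachRun(@"562971234592716543", 5));
        NSLog(@"%@", ExtractAfterEachRun(@"aaaaaNbbbbbOccccc dddddLeeeeeIfffffNgggggK", 5));

        // Round trip: encoding with delta -1 and decoding with delta 1 must agree.
        NSString *secret = @"IBM";
        NSString *stored = ShiftCharacters(secret, -1);
        NSLog(@"round trip ok: %d", [ShiftCharacters(stored, 1) isEqualToString:secret]);
    }
    return 0;
}
```

The filler-run decoder is the general form of the "every fifth letter" rule: with fillerLength 5 it reads indices 5, 11, 17 and so on, which is why both "everyIfifthBleterMsic" and the digit string in the reply decode correctly with the same call.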


aaaaaNbbbbbOccccc dddddLeeeeeIfffffNgggggK

NJ?

Thanks for explaining the two approaches "HAL" and "everyIfifthBleterMsic".


>If you are going to store the unmodified token anywhere then only store it in the keychain.


I believe keychains are useful to store the data if it comes from server. I wanted to know whether storing the hardcoded string in keychain is really useful.

I think this approach will not protect the key/token if someone gets the IPA file. .plist files are not encrypted, so reverse engineering the IPA file will give the key.

Decode this token. I will give you a hint below but try it without the hint first.

The token is a 3 digit number somewhere in the following string which you may place in your plist:


    NSString *theCode=@"75635393673528263526547283181367161846";



Hint:

In my app I have the following line:

    NSString *theToken=[[theCode substringFromIndex:16] substringToIndex:3];

but there is no way you can read that line in my code.